CVE-2025-7558: SQL Injection in code-projects Voting System

Severity: Medium
Tags: Vulnerability, CVE-2025-7558
Published: Mon Jul 14 2025 (07/14/2025, 01:03:41 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Voting System

Description

A vulnerability was found in code-projects Voting System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/positions_add.php. The manipulation of the argument description leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/21/2025, 20:58:50 UTC

Technical Analysis

CVE-2025-7558 is a SQL injection vulnerability in version 1.0 of the code-projects Voting System, specifically in the /admin/positions_add.php file. It arises from improper sanitization or validation of the 'description' parameter, which lets an attacker inject SQL into the query that handles that value. The CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates that the injection can be performed remotely over the network, with low attack complexity and no user interaction, but that it requires low privileges (PR:L): the attacker must already hold some level of authenticated access, most likely a low-privileged account. The vulnerability has a CVSS 4.0 base score of 5.3, categorized as medium severity. The impact on confidentiality, integrity, and availability is rated low, suggesting that while the injection can manipulate or read some data, it may not lead to full system compromise or bulk data exfiltration. No exploitation in the wild has been reported, and no patches have been linked yet. The product is a niche voting application that may be deployed in organizational or institutional contexts where voting or polling is conducted electronically. With no patch available and an exploit publicly disclosed, organizations using this system should prioritize mitigation to prevent exploitation.

Potential Impact

For European organizations using the code-projects Voting System 1.0, this vulnerability could allow an attacker with low-level authenticated access to manipulate the voting system's backend database via SQL injection. This could lead to unauthorized modification of voting positions or descriptions, potentially undermining the integrity of voting results. While the impact on confidentiality and availability is low, the integrity compromise in a voting context is critical as it can affect decision-making processes, trust in electronic voting, and compliance with regulations on election integrity. Organizations involved in political, corporate, or community voting processes could face reputational damage and legal consequences if the voting data is tampered with. The remote exploitability increases the risk of attacks originating from outside the organization's network, especially if administrative interfaces are exposed or weakly protected. Given the medium severity and the requirement for low privileges, insider threats or compromised low-level accounts could be leveraged to exploit this vulnerability.

Mitigation Recommendations

1. Immediately restrict access to the /admin/positions_add.php interface to trusted administrators only, ideally via VPN or secure internal networks.
2. Implement strict input validation and parameterized queries or prepared statements in the codebase to eliminate SQL injection vectors, starting with the 'description' parameter.
3. Conduct a thorough code audit of all input handling in the Voting System to identify and remediate similar injection flaws.
4. Monitor logs for unusual database queries or failed injection attempts to detect exploitation attempts early.
5. If possible, isolate the voting system backend from direct internet exposure and enforce multi-factor authentication for all administrative accounts to reduce the risk of low-privilege account compromise.
6. Engage with the vendor or community maintaining the code-projects Voting System to obtain or develop patches addressing this vulnerability.
7. Consider deploying a Web Application Firewall (WAF) with custom rules to detect and block SQL injection patterns targeting the vulnerable endpoint until a patch is available.
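The fix in recommendation 2, shown as an added example. This is not the Voting System's own code: the contents of /admin/positions_add.php are not on this page, so the vulnerable function below is a hypothetical reconstruction of the flaw the advisory describes (a submitted description concatenated into an INSERT), placed beside a hardened form that validates the input and binds it through a PDO prepared statement. The table and column names (positions, name, description) and the request fields are assumptions; the demonstration uses an in-memory SQLite database so it runs offline.

```php
<?php
// Added example, not code from the code-projects Voting System.
// Assumed schema: table `positions` with columns `name` and `description`.

// Hypothetical reconstruction of the flaw described in the advisory: the
// `description` value is spliced into the SQL text, so the database cannot
// distinguish submitted data from statement syntax.
function addPositionVulnerable(PDO $pdo, string $name, string $description): bool
{
    $sql = "INSERT INTO positions (name, description) VALUES ('$name', '$description')";
    return $pdo->exec($sql) !== false;
}

// Hardened form, step 1: validate shape and length before the value goes anywhere
// near the database. Limits are assumed values for illustration.
function validatePositionInput(string $name, string $description): array
{
    $errors = [];
    $name = trim($name);
    $description = trim($description);
    if ($name === '' || strlen($name) > 100) {
        $errors[] = 'name must be 1-100 bytes';
    }
    if (strlen($description) > 500) {
        $errors[] = 'description must be at most 500 bytes';
    }
    return [$errors, $name, $description];
}

// Hardened form, step 2: bind the values as parameters. They are sent separately
// from the statement text, so they can never change the statement's structure
// regardless of what characters they contain.
function addPositionSafe(PDO $pdo, string $name, string $description): bool
{
    [$errors, $name, $description] = validatePositionInput($name, $description);
    if ($errors) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    $stmt = $pdo->prepare('INSERT INTO positions (name, description) VALUES (:name, :description)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':description', $description, PDO::PARAM_STR);
    return $stmt->execute();
}

// Demonstration on an in-memory SQLite database so the file runs offline. The
// production handler would use the MySQL DSN and should additionally set
// PDO::ATTR_EMULATE_PREPARES => false so the server, not the client, does the binding.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE positions (id INTEGER PRIMARY KEY, name TEXT NOT NULL, description TEXT)');

// A legitimate description containing an apostrophe (constructed sample input).
// The vulnerable version cannot even store it: the quote closes the string
// literal and the statement fails, the same property that makes the code injectable.
$description = "Chair of the members' committee";
try {
    addPositionVulnerable($pdo, 'Chair', $description);
} catch (PDOException $e) {
    echo "vulnerable version failed: " . $e->getMessage() . "\n";
}

// The hardened version stores the value verbatim.
addPositionSafe($pdo, 'Chair', $description);
$row = $pdo->query('SELECT name, description FROM positions')->fetch(PDO::FETCH_ASSOC);
echo "stored safely: {$row['name']} / {$row['description']}\n";

// In the real handler (assumed request fields; the admin session check that
// precedes this call is omitted here):
// addPositionSafe($pdo, $_POST['name'] ?? '', $_POST['description'] ?? '');
```

The validation step does not replace the prepared statement; length and shape checks reduce abuse and keep garbage out of the table, but only parameter binding removes the injection itself. For detection (recommendation 4), the InvalidArgumentException and any PDOException thrown here are worth logging with the authenticated username, since repeated failures on this endpoint from one account are the early signal the advisory suggests watching for.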

Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-07-12T18:50:26.182Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68745a53a83201eaacc06e4c

Added to database: 7/14/2025, 1:16:03 AM

Last enriched: 7/21/2025, 8:58:50 PM

Last updated: 8/28/2025, 7:04:11 AM
